Tales from the field - Building a modern IAM strategy - Part 1
** This is going to be a multi-part series... so I'll add each section as it is written at the top of this page... so make sure you come back :) **
Over the past 12 to 18 months, I've been working with one of my clients on building and defining a modern Identity and Access Management strategy. While I was there, I spent a fair bit of time trying to find examples on the internet where other people faced similar challenges, or had a write-up on some of the things that they had delivered. However, I really couldn't find anything that gave me some honest pain points. I'm sure there are examples out there, but I really couldn't find them! Most of the content I found was from case studies, which all had a marketing spin on them.
Therefore, I thought why not write up some of my experiences. So here it is, my 'tale from the field'. Please let me know your thoughts, and how your IAM projects have gone. I always love to hear any challenges that you faced, or issues you overcame.
Everyone does IAM... but do they do it well?
Where it all started
As I fired up my Teams client and joined my first conference call on the project, I knew that the e-commerce and financial services client was already pushing to use the latest technology. Like any organisation, they had legacy infrastructure, outsourced contracts and a chunk of technical debt... but they also had a leadership team who wanted to push the boundaries, and do things the right way.
This helped with setting the scene on what they wanted to achieve. The architecture and security team had already set out their stalls to deliver a zero-trust strategy. Over the past few years, they had made significant investments in their end user compute and connectivity strategy to move them to a 'work from anywhere' device model. The biggest win in this space for them was the introduction of AAD-joined and Intune-managed devices. The pandemic had pushed them almost overnight to quickly re-architect how they delivered compute services to their users.
Networking had also seen shifts to the modern ways of connecting. Most applications were being presented externally using Azure AD Application Proxy, and where it wasn't possible, split tunnelling was configured on their VPN client.
This was a great space to be in, so I knew I could build upon the recent successes, and drive some of the modern identity capabilities that were available within the Microsoft stack.
Principles
As with any strategy, I always set out to agree a core set of principles that help set the scene for any decisions moving forward. Each of these is there to help the business and technology teams come to the right decision when implementing and choosing an architecture. These principles can often conflict with each other, but that is by design. If you can justify the decision against them, then it fits.
With that in mind, the core principles that we came up with:
- All users will have a single identity - Not only does this make the lives of the users easier, it helps to manage the life cycle of a user's access, and to determine what, where and when they accessed a particular resource.
- Context-based authorisation - This isn't that new to be fair, but organisations often fall into the location-based mentality when allowing access... Are the users in the office? Ok, cool, in they go! With the constant change in location, sprawl of SaaS applications and multiple devices, this is no longer suitable. Therefore, validating a user's security posture in real time ensures user authorisation is suitable for the application.
- Automation, automation and more automation - Moving to an automated delivery model would free up their teams to focus on what mattered. Passing access decisions to accountable business owners and automatically revoking access would save a tonne of time.
- Persona-led - Moving away from custom account types, and following a persona model that aligned to HR roles would simplify management and deployment of access. Once these job roles are understood, so too are the changes to them.
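To make the context-based authorisation principle concrete, here is a small added illustration (example code written for this article, not the client's implementation and not a Microsoft API). It evaluates a sign-in against device posture, MFA state and sign-in risk, and deliberately ignores whether the user is on the office network. The field names, the three rules and the sample sign-ins are all assumptions constructed for the example; a real deployment would take these signals from the identity provider and MDM rather than a dataclass.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_mfa"
    BLOCK = "block"


@dataclass(frozen=True)
class SignInContext:
    """Signals available at authorisation time (hypothetical field set)."""
    user: str
    app: str
    app_sensitivity: str      # "low" or "high"
    device_managed: bool      # joined to the directory and under MDM management
    device_compliant: bool    # MDM reports the device meets compliance policy
    mfa_satisfied: bool       # strong authentication already completed this session
    sign_in_risk: str         # "low", "medium" or "high" (from the identity provider)
    on_corporate_network: bool


@dataclass
class Evaluation:
    decision: Decision
    reasons: list = field(default_factory=list)


def legacy_location_rule(ctx: SignInContext) -> Decision:
    """The 'are they in the office? in they go' model the article argues against."""
    return Decision.ALLOW if ctx.on_corporate_network else Decision.STEP_UP


def evaluate(ctx: SignInContext) -> Evaluation:
    """Posture-based decision. Rules are ordered most restrictive first."""
    # Rule 1: a high-risk sign-in is blocked regardless of where it comes from.
    if ctx.sign_in_risk == "high":
        return Evaluation(Decision.BLOCK, ["sign-in risk is high"])

    # Rule 2: high-sensitivity applications require a managed AND compliant device.
    if ctx.app_sensitivity == "high" and not (ctx.device_managed and ctx.device_compliant):
        return Evaluation(
            Decision.BLOCK,
            [f"{ctx.app} is high sensitivity and requires a managed, compliant device"],
        )

    # Rule 3: medium risk or an unmanaged device needs step-up MFA before access.
    if not ctx.mfa_satisfied and (ctx.sign_in_risk == "medium" or not ctx.device_managed):
        return Evaluation(Decision.STEP_UP, ["MFA required: elevated risk or unmanaged device"])

    # Note: on_corporate_network is never consulted; location is not a grant.
    return Evaluation(Decision.ALLOW, ["device posture, MFA and risk all acceptable"])


# Constructed sample sign-ins for the example.
SAMPLE_SIGN_INS = [
    SignInContext("alice", "payroll", "high", True, True, True, "low", False),
    SignInContext("bob", "payroll", "high", False, False, True, "low", True),
    SignInContext("carol", "intranet", "low", False, False, False, "low", False),
    SignInContext("dave", "intranet", "low", True, True, False, "high", True),
]


def compare_models(sign_ins=SAMPLE_SIGN_INS) -> dict:
    """Return {user: (legacy decision, posture decision)} so the two models can be compared."""
    return {c.user: (legacy_location_rule(c), evaluate(c).decision) for c in sign_ins}


if __name__ == "__main__":
    for user, (legacy, posture) in compare_models().items():
        print(f"{user:6} legacy={legacy.value:12} posture={posture.value}")
```

Running the block shows the difference the principle makes: bob and dave are both sitting on the office network, so the legacy rule lets them in, while the posture-based evaluation blocks bob (unmanaged device against a high-sensitivity app) and dave (high-risk sign-in). alice, off-network on a compliant device, is allowed without any location check.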
So that's it for part one. In Part 2, I'll dig into the definition of personas and how they started to ease the burden. Keep an eye out for when this launches!